Re: [FW-1] SecureClient and NAT at Client end
hi!

> I was under the understanding that NAT and SecureClient would not
> successfully work without making some changes to the Objects.C and
> Userc.C files to enable UDP Encapsulation, however that does not
> appear to be the case.

Quoting http://www.phoneboy.com/faq/0141.html

--------------------------
By default, FireWall-1 4.1 SP2 and later that has had these changes made will invoke this mode if the UDP port 500 packet coming from the SecuRemote client has a source port that is not port 500. This mode can be forced on the client by going into userc.C on the Secure Client and adding the following under the options section:
.......
---------------------------

Usually, by doing NAT, the source port of the UDP packet will be changed by the NATing device. So the UDP encapsulation mode will be invoked automatically.

> Here is my set-up:
> Firewall running 4.1 SP4
> Clients running SecureClient 4.1 SP4 build 4188
>
> On my Firewall, my encryption domain is defined by a group of network
> objects which include the specific 192.168.x.0 networks used within the
> company. In the Userc.C file I see these specific networks defined.
>
> Here are the situations:
>
> 1 user has set up Microsoft Internet Sharing on his home network. When he
> has the default network, 192.168.0.x, in use, the VPN connections to the
> company failed. However when he changed the internal network to 10.0.0.x
> the VPN connection was successful.
>
> A second user has a Linksys Router inside his ADSL modem for his internal
> network, using Hide NAT. Again if he used the default 192.168.1.x network
> for his internal network the VPN failed, however when he changed it to
> 10.0.0.x the VPN connection succeeded.

Hmm... At first look, I'd say that it looks like a wrong subnet mask???
--> Take a quick look into the userc.C file of the SecuRemote client, and check for the definition of the encryption domain.

(btw: did the encryption/authentication/connection to the firewall fail, or did the client not even try to authenticate to the firewall????)

hope this helps

Michael